Firmware reversing of the Barracuda Web Application Firewall uncovered development artifacts that should have been removed on the production images. Once the encryption scheme was broken, many QA and development tools were discovered on the affected partitions. Some of these contained sensitive information such as authentication credentials used by internal developers. Firmware version 8.0.1.014 is affected.
41af7991ec90055d2e9576142c80137283f105fdc993d700215ae487f134beef
Firmware reversing of the Barracuda Web Application Firewall uncovered debug features that should have been removed on the production images. Appending a debugging statement onto a grub configuration line leads to an early boot root shell. Firmware version 8.0.1.014 is affected.
e7f34bb9440ee19f081d01c8da99a0e8de3728fcc56a3f073d87f5c8a3cf2ad7
The Postgres database on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has default hardcoded credentials. While some security measures were taken to ensure that network connectivity to the Postgres database wouldn't be possible using IPv4, the same measures were not taken for IPv6.
ad169956f0f3396698d40c18a3a0e55793e890d9d218704c030183521609a602
The management shell on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions.
2a881d9217c48b1606ec88d0bb0823e2e6d7359165db582cfbbd90943ae24f0e
Insufficient input validation in the management interface can be leveraged in order to execute arbitrary commands. This can lead to (root) shell access to the underlying operating system on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
fe9867b691ca5367a9f8e75d21f16e8f3d6804f2ad561bedd0abd524a2546349
An attacker can abuse functionality provided by a script which may be run with root privilege in order to elevate privilege on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
541cc742cf8744931b966ccfc14ec82005cd85e4a6e1bff7ce5f93c7ba245576
Due to lax filesystem permissions, an attacker can take control of a hardcoded sudo path in order to execute commands as a privileged user on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
3f138413d3ee07b7fb98c0ec9430dcebbf62f40cd8ffb3fa592f0455512444f9
WatchGuard XTMv version 11.12 Build 516911 suffers from a cross site request forgery vulnerability.
d76e552d2f0dc7711c0487e3374c5934f3930f35befe6e17dc13aafd7bf6ba4a
Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a remote root access vulnerability.
8207670b7b23f48f93f2a7d157326bcd7fa8384a29863a9824938cd6f5929a09
Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a privilege escalation vulnerability.
d466b761795d8d3086d31d2d398c036a70a01e03515283ad16085a4bf3fe529f
Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from an arbitrary file write vulnerability that can lead to remote command execution.
26ab7b4f02561adad2e13b1c460f10e7406f2bed3b1a400caf9cd13b6a2cc8da
Sophos Web Appliance version 4.2.1.3 suffers from a remote code execution vulnerability.
63701a9eb15e305ac51389eaeadb3b1a48ad8b7a79c8e2be9b6f3fa830db7304
Sophos Web Appliance version 4.2.1.3 suffers from a privilege escalation vulnerability. An unprivileged user can obtain an MD5 hash of the administrator password which can then be used to discover the plain-text password.
6c3a7db5cb2b8006c493d363dd8ec25ba892a528fb9c8d8faf875f49faee60aa
Cisco Firepower Threat Management Console suffers from a local file inclusion vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
3bb68d70578902fa49aa28ddac5c00c057ccf7040672b0e7d40d0048e61e4fee
Cisco Firepower Threat Management Console suffers from a remote command execution vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
478bf4dcc23d2ef96d26269234864bc75b3152960f1f077a183667abd3cd5cd2
Cisco Firepower Threat Management Console suffers from a denial of service vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
93b912c298ea153c2c41d2e2762896ea94b468117fac32c32eaf77e232760a41
Cisco Firepower Threat Management Console has hard-coded MySQL credentials in use. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
340707f4d5b3dac91cc48f0c12337c760677cc76dc14f6c4697885df69e314c1
The Ubiquiti AirGateway, AirFiber, and mFi platforms feature remote administration via an authenticated web-based portal. Lack of CSRF protection in the Remote Administration Portal, and unsafe passing of user input to operating system commands executed with root privileges, can be abused in a way that enables remote command execution.
90378a8805d8e7a9d70f57b6789f59dbe576e315ddf496817ce14425c0361204
The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user.
f9f07867f80d6ed81875b0f0f3426862a601d2df3911aea7d48a11a170f6c39b
The Dell Pre-Boot Authentication Driver (PBADRV.sys) contains a vulnerability that can be leveraged to enable an attacker to write arbitrary code. The 'OutputAddress' from the IOCTL call is not validated before it attempts to write to memory. The content of the write is a four-byte hex value that is always greater than that of the kernel base address. Using multiple writes, it may be possible to overwrite the first entry of HalDispatchTable in a way that the entry would point to a user-land address. An attacker need only allocate shellcode at said address and call the ntdll!NtQueryIntervalProfile() function.
4c39d7663202b0e6a4d111b2cedc2d39282bb058581eda40719607e5ea6add5a
Seagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.
5c61cfee09fbb37a6bafacad5f5ac3b5b476c894b553933c75614523958a3ff4
Linksys EA6100 Wireless Router suffers from an authentication bypass vulnerability.
a8b20e7d7ed604facccbb2ae990af80afdd4329520a1b779fb7446ad55de4272
A vulnerability within the ndvbs module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege. suffers from code execution, and local file inclusion vulnerabilities.
f56522b7ad8171646ac1c3eea8d0052f0c4e3db5b5c86c6dd3e9b9fae91e3b70
A vulnerability within the xrvkp module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege.
77a97ac2af8e5d412b8fd4eb9a999feef3db9cd52adba3ce10f5fa61cc3aa2ae
Vulnerabilities within the srvkp module allows an attacker to inject memory they control into an arbitrary location they define or cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately be used to escalate the privilege of an attacker. Version affected is 6.14.10.3930.
a2a0c9af7028c25243f0a56d26ca9915265d443f37f6c6fd0844ddb64354f2ce